| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
| |
musl stdlib (Alpine Linux) doesn't know about canonicalize_file_name,
replace with equivalent realpath calls
|
| | |
|
| |\
| |
| | |
add PATH_FCOPY to private-lib automatically
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
restore 45304621a6c600d8e30e98bfbef05149caaf56c5, but now run
fldd as root user. This became necessary because in the meantime
read permission on helper executables was removed.
Puts infrastructure in place to add other helper binaries to
private-lib as well, should the need arise.
|
| |\ \
| | |
| | | |
Upstreaming a set of fixes from Sailfish's packaging
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Check that the directory exists before attempting to mount it.
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Lacking linefeed chars cause messages to get concatenated.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Firejail uses file bind-mounts to filter /etc/passwd and /etc/group
content. If private-etc is used, these mounts are left underneath
the /etc directory mount and this seems to be causing problems in
devices with older kernels: attempts to modify passwd or group
data fails with EBUSY.
Make it possible to perform fs_private_dir_list() actions in two
separate phases.
Undo the file mounts in /etc before mounting private-etc content.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
These have little consequences as the tool exits anyway,
but fs_copydir() leaks memory on success path and check()
on failure path.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When constructing sandbox fs, /etc/mtab which is symlink to
/proc/self/mounts gets resolved as /proc/PID/mounts. Where
PID is not the pid of the process that is going to get
executed in the firejail -> the result is broken/unaccessible
symlink from the application point of view.
Use /proc/self/xxx type symlink target if it resolves similarly
as the /proc/PID/xxx type would at the time of mapping.
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
| |\ \ \
| | | |
| | | | |
Minor fixes for vmware
|
| | | | | |
|
| | |_|/
|/| | |
|
| |/ / |
|
| | | |
|
| | | |
|
| | | |
|
| |/ |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
as no length checks are performed any more on environment variables,
remove obsoleted code
|
| | |
|
| |\
| |
| | |
Add first version of zsh completion
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Don't have duplicate descriptions and put = signs where they belong to
zsh completion function now dynamically adjusts for options (e.g. no --apparmor option without AppArmor configured)
No EXTRA_CFLAGS for cpp
Found main.c which does the argument processing. Moved some arguments into the correct #ifdef blocks
Profile selection now much better
Not more cpp. Using preproc.awk instead.
Updated bash firejail command completion to add profiles
ignore bash and zsh dynamically created completion scripts
Moved bash/zsh completions out of ALL_ITEMS to fix make install
Cleanup
|
| | |
| |
| |
| |
| | |
readability/making it more obvious buffers
are properly initialized
|
| | | |
|
| | |
| |
| |
| |
| | |
the check was introduced some time ago in fs_x11(), but
fs_chroot() does the same thing and needs it as well
|
| | |
| |
| |
| |
| |
| |
| | |
With the recent changes to environment variable handling, it should be
safe to always allow empty variables.
Closes: #3965
|
| | | |
|
| |\ \
| | |
| | | |
add support for faccessat2 syscall
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| |/ / |
|
| | | |
|
| |\ \
| | |
| | | |
Email part (2)
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Save all environment variables for later use in the application, clear
environment and re-apply only whitelisted variables for the main
firejail process. The whitelisted environment is only used by C
library. Sandboxed tools will get further variables used
internally (FIREJAIL_*).
All variables will be reapplied for the firejailed application.
This also lifts the length restriction for environment variables,
except for the variables used by Firejail itself or the sandboxed
tools.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Update disable-programs.inc
* Create calligragemini.profile
* Update calligra.profile
* Update calligra.profile
* Update firecfg.config
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
fsec-optimize: Optimize BPF with current seccomp error action, not
just KILL
fseccomp: use correct BPF code for errno action
firejail: honor seccomp error action for X32 and secondary filters,
rebuild filters if the error action is changed
Closes: #3933
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Update disable-programs.inc
* Update disable-programs.inc
* Update firecfg.config
* Create avidemux.profile
* Update avidemux.profile
|
| | | | |
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
New profile for CoyIM
|
| | |/ / |
|
| |\ \ \
| | | |
| | | | |
Add profile for kdiff3
|
smitsohu
netblue30
Tomi Leppänen
Simo Piiroinen
Neo00001
startx2017
rusty-snake
Harald Kubota
Topi Miettinen
glitsj16
bbhtt
irandms
Nex